Mailinglist Archive: opensuse (929 mails)

Re: [opensuse] Re: nginx uid:gid
On Wed, 2014-03-26 at 17:52 -0700, Linda Walsh wrote:
> lynn wrote:
> > Thanks, that sounds good. We've an app where the devs want to rw stuff
> > to their public_html folder. Apache writes as wwwrun:www whereas the
> > 13.1 nginx writes as nginx:nginx: they can't edit their files any
>
> I don't see a problem with the way you have it set up -- especially since
> in your case, it sounds like nginx is being run *instead* of apache,
> so keeping the UID/GID the same as what it was before provides
> a more seamless upgrade.
>
> I appreciate having daemons running under their own separate user id
> -- and not a generic one for all, since a security problem in one daemon
> gives access to all daemons' files running under the same UID/GID.
> Having each in its own UID/GID allows for finer access control
> as well.
>
> Another way you might think about 'someday', is to use ACLs and
> a "default acl" on the directories that can give extended access by
> group or user name *OR* just use setGID on the directories and
> have their group set to 'www', so all files created in them will
> end up in 'www'. Would still need to make sure processes that
> execute in those dirs have umasks set to something like 002.
>
> But if what you have works, no need to change it till the next
> upgrade... ;-)

Yeah, I'm surprised. Simply changing the uid:gid in nginx.conf seems to
have done it. We'd tried setfacl-ing nginx rwx on the public_html
folders too but again, it's no good for the stuff that's already there
with wwwrun:www.

> (BTW -- To go through all folders and set such bits, (GID or ACLs),
> one would likely use 'find' (all files & dirs owned by
> 'www', for example and pipe that into xargs...but you likely already
> know that)).

Yes, good idea. Got it. But hoping we won't have to. We've down time
Sunday. We plan to go live with it and leave it in place for Monday
morning with lots of practise switching between nginx and apache during
the downtime. In fact, it's a little more complicated than that. The
switch is from apache/mod-php5 to nginx/php-fpm.

Thanks for your clear explanations.
L x
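
The setgid-directory and umask 002 alternative mentioned in the quoted reply, as an added example that is not part of the original thread: it uses find to mark every directory in a tree setgid, then shows which umask leaves a newly created file group-writable. The function names and the scratch tree are assumptions, and `stat -c` assumes GNU coreutils; the default-ACL variant is not covered.

```shell
#!/bin/sh
# Added example; function names and the scratch tree are hypothetical.
# On a real docroot, run `chgrp -R www <docroot>` as root first.

# Set setgid on every directory under $1, so files and subdirectories
# created there inherit the directory's group, not the creator's.
make_tree_setgid() {
    find "$1" -type d -exec chmod g+s {} +
}

# Create file $2 under umask $1; print "<octal mode> <group>" (GNU stat).
create_and_stat() {
    (
        umask "$1"
        : > "$2"
        stat -c '%a %G' "$2"
    )
}

# Build a constructed tree and show the effect of both umasks.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/public_html/app/cache"
    make_tree_setgid "$root/public_html"
    echo "directory group: $(stat -c '%G' "$root/public_html/app")"
    # umask 022: group loses write, so other group members cannot edit.
    echo "umask 022 -> $(create_and_stat 022 "$root/public_html/app/a.php")"
    # umask 002: group keeps write, which is what a shared tree needs.
    echo "umask 002 -> $(create_and_stat 002 "$root/public_html/app/b.php")"
    # A new subdirectory inherits the setgid bit as well.
    (umask 002; mkdir "$root/public_html/app/new")
    [ -g "$root/public_html/app/new" ] && echo "new subdirectory is setgid"
    rm -rf "$root"
}

demo
```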
